Objective
I want to deploy AWS EKS using Fargate. I have successfully deployed with a node_group. However, when I switch to Fargate, the pods all seem to get stuck in the Pending state.
What my current code looks like
I am using Terraform for provisioning (not necessarily looking for a Terraform answer). This is how I create the EKS cluster:
module "eks_cluster" {
  source  = "terraform-aws-modules/eks/aws"
  version = "13.2.1"

  cluster_name              = "${var.project_name}-${var.env_name}"
  cluster_version           = var.cluster_version
  vpc_id                    = var.vpc_id
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  enable_irsa               = true
  subnets                   = concat(var.private_subnet_ids, var.public_subnet_ids)

  create_fargate_pod_execution_role = true
  write_kubeconfig                  = false
  fargate_pod_execution_role_name   = "${var.project_name}-role"

  # Assigning worker groups
  node_groups = {
    my_nodes = {
      desired_capacity = 1
      max_capacity     = 1
      min_capacity     = 1
      instance_type    = var.nodes_instance_type
      subnets          = var.private_subnet_ids
    }
  }
}
This is how I configure the Fargate profile:
# Create EKS Fargate profile
resource "aws_eks_fargate_profile" "fargate_profile" {
  cluster_name           = module.eks_cluster.cluster_id
  fargate_profile_name   = "${var.project_name}-fargate-profile-${var.env_name}"
  pod_execution_role_arn = aws_iam_role.fargate_iam_role.arn
  subnet_ids             = var.private_subnet_ids

  selector {
    namespace = var.project_name
  }
}
This is how I create and attach the required policy:
# Create IAM Role for Fargate Profile
resource "aws_iam_role" "fargate_iam_role" {
  name                  = "${var.project_name}-fargate-role-${var.env_name}"
  force_detach_policies = true

  assume_role_policy = jsonencode({
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "eks-fargate-pods.amazonaws.com"
      }
    }]
    Version = "2012-10-17"
  })
}

# Attach IAM Policy for Fargate
resource "aws_iam_role_policy_attachment" "fargate_pod_execution" {
  role       = aws_iam_role.fargate_iam_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
}
What I have tried that doesn't seem to work
Running kubectl describe pod, I get:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 14s fargate-scheduler Misconfigured Fargate Profile: fargate profile fargate-airflow-fargate-profile-dev blocked for new launches due to: Pod execution role is not found in auth config or does not have all required permissions for launching fargate pods.
Other things I have tried that did not work
I tried mapping the role through the module's own feature, e.g.:
module "eks_cluster" {
  source  = "terraform-aws-modules/eks/aws"
  version = "13.2.1"

  cluster_name              = "${var.project_name}-${var.env_name}"
  cluster_version           = var.cluster_version
  vpc_id                    = var.vpc_id
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  enable_irsa               = true
  subnets                   = concat(var.private_subnet_ids, var.public_subnet_ids)

  create_fargate_pod_execution_role = true
  write_kubeconfig                  = false
  fargate_pod_execution_role_name   = "${var.project_name}-role"

  # Assigning worker groups
  node_groups = {
    my_nodes = {
      desired_capacity = 1
      max_capacity     = 1
      min_capacity     = 1
      instance_type    = var.nodes_instance_type
      subnets          = var.private_subnet_ids
    }
  }

  # Trying to map role (references the aws_eks_fargate_profile resource defined above)
  map_roles = [
    {
      rolearn  = aws_eks_fargate_profile.fargate_profile.arn
      username = aws_eks_fargate_profile.fargate_profile.fargate_profile_name
      groups   = ["system:*"]
    }
  ]
}
But my attempt did not succeed. How can I debug this, and what is the reason behind it?
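The error above says the pod execution role "is not found in auth config", i.e. in the cluster's aws-auth ConfigMap. As an added example (not code from the original question), here is a small offline check of a mapRoles document against the username and groups that EKS itself writes for a Fargate pod execution role; the embedded mapRoles sample, its account id and its role names are constructed, and in practice the input would be the real ConfigMap data from the kubectl command in the docstring.

```python
"""Check an EKS aws-auth mapRoles document for a Fargate pod execution role (added
example, not code from the original post). Real input: the output of
  kubectl -n kube-system get configmap aws-auth -o jsonpath='{.data.mapRoles}'"""
import re
REQUIRED_USERNAME = "system:node:{{SessionName}}"  # username EKS itself writes to aws-auth
REQUIRED_GROUPS = {"system:bootstrappers", "system:nodes", "system:node-proxier"}  # and groups
KEY_RE = re.compile(r"(rolearn|username|groups):\s*(.*)")
# Constructed sample so the check runs offline: account id and role names are made up.
SAMPLE_MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/fargate-airflow-fargate-role-dev
  username: system:node:{{SessionName}}
  groups: [system:bootstrappers, system:nodes, system:node-proxier]
- rolearn: arn:aws:iam::111122223333:role/fargate-airflow-role
  username: fargate-airflow-fargate-profile-dev
  groups:
    - system:*
"""

def parse_map_roles(text):  # minimal parser for the mapRoles list shape above (no PyYAML)
    entries, in_groups = [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("- ") and not KEY_RE.match(line[2:]):  # "- system:nodes": a group item
            if in_groups and entries:
                entries[-1]["groups"].append(line[2:].strip())
            continue
        if line.startswith("- "):                                  # "- rolearn: ...": a new entry
            entries.append({"groups": []})
            line = line[2:]
        m = KEY_RE.match(line)
        if not m or not entries:
            continue
        key, value = m.group(1), m.group(2).strip()
        in_groups = key == "groups" and not value.startswith("[")  # block list of groups follows
        if key != "groups":
            entries[-1][key] = value.strip("'\"")
        elif not in_groups:                                        # inline [a, b] list
            entries[-1]["groups"] = [g.strip() for g in value.strip("[]").split(",") if g.strip()]
    return entries

def check_fargate_role(map_roles_text, role_arn):
    """Return (ok, reason) for the role the profile's pod_execution_role_arn names."""
    for entry in parse_map_roles(map_roles_text):
        if entry.get("rolearn") != role_arn:
            continue
        if entry.get("username") != REQUIRED_USERNAME:
            return False, f"username is {entry.get('username')!r}, expected {REQUIRED_USERNAME!r}"
        if missing := sorted(REQUIRED_GROUPS - set(entry["groups"])):
            return False, "missing groups: " + ", ".join(missing)
        return True, "role mapped with the username and groups the fargate-scheduler expects"
    return False, "role ARN not present in aws-auth mapRoles"
```

Run it with the ARN from `aws eks describe-fargate-profile` (the podExecutionRoleArn field) to see whether the scheduler can find that role in aws-auth at all, and if so whether the entry carries the expected username and groups.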